(57) Abstract: The present invention discloses a method for enabling at least a part of a Smart Card. According to a preferred
embodiment of the present invention, a one time activation code is generated in a server at a telephone operator. The activation code
is sent via registered mail to a user of a Smart Card, e.g. a SIM card in a GSM cellular phone. When the user enters the activation code
into the cellular phone, the entry is transmitted to the server for verification. Upon successful verification, the server transmits an
enabling command to the phone, thereby enabling the intended part of the SIM card. This may be the enabling of PKI functionalities
that until now have been hidden in the SIM card and thus unavailable to the user. The user may then choose his own signing PIN for
authentication, encryption and transaction signing. In the case of enabling PKI functions, all necessary generation of private and public
keys and establishment of certificates is carried through when the activation code is verified.
Method for enabling PKI functions in a Smart Card
Field of the invention 

The present invention is related to Smart Cards and
communication networks, in particular a mobile telephone
system using a one time activation code for activating at
least a part of a Smart Card, e.g. the PKI (Public Key
Infrastructure) function in a SIM (Subscriber Identity
Module) card.

Background of the invention

PKI functions in a Smart Card, e.g. a SIM card localized in
a GSM cellular phone, are normally protected by their own PIN
code and PUK code (not the same as for the GSM part). The
PIN code is normally a relatively short personal number
which has to be entered to enable the card for use. The PUK
code is normally a much longer number which has to be
entered after three incorrect entries of the PIN
code. This prevents unauthorized access to the Smart Card.

For security reasons the PUK code must be considerably
longer than the PIN code. However, this emerges as a
problem for the user because the code is difficult to
remember. For most users it is necessary to store the PUK
code e.g. on a piece of paper, and on the rare occasions when
the PUK code is needed, it may well be gone. Due to
this, mobile telephone operators (or any other type of
issuer) frequently have to replace the user's Smart Card/
SIM. For security reasons, it is not proper
handling to reprint a PUK twice. This implies extra cost
and work to renew the subscription with a new PUK and a
new Smart Card as well.

The PUK code is a fixed code, thus requiring storage of the
code locally in the Smart Card. An additional problem due
to the fact that the PUK code is a fixed code is that the
Smart Card is tied to one user during its lifetime, and
there is no possibility of changing the user for a certain
subscription. This implies manufacturing and distribution
of more Smart Cards than necessary.

Summary of the invention 

It is an object of the present invention to provide a
method that eliminates the drawbacks described above. The
features defined in the enclosed claims characterize this
method.

More specifically, according to the present invention an
activation code replacing the PUK code is generated
centrally and is sent, preferably by registered mail, to
the user of the Smart Card, which may be a SIM card localized
in a cellular phone. The verification of the activation
code is carried through simply by comparing (e.g. in a
server of a telephone operator) the user-entered activation
code with the previously mailed one, which is also stored
in the telephone operator's activation server. The activation
code is a one time code, and replaces all the functions
of the PUK code for the PKI function. Additionally it
may be used to enable stored, but for the user previously
hidden, functionalities in the Smart Card, e.g. PKI
functionalities.

Brief description of the drawing

Fig. 1 is a view of the components and the data flow in an 
embodiment of the present invention. 

Detailed description

The present invention will now be described in conjunction
with an example embodiment referring to the above mentioned
figure. However, the present invention is not limited to
this particular embodiment, but may be used in other
applications with various substitutions without departing from
the scope of the invention as defined in the enclosed
claims.

The example embodiment is based upon a mobile telephone
network wherein the fixed PUK codes are replaced with one
time activation codes. In addition to replacing the
traditional functions of the PUK code, the activation code may
also be used to enable PKI functionalities stored in the
SIM cards of the subscribers.

To make use of PKI functionalities, a user must in advance
be registered and registration data must be verified at an
RA (Registration Authority). All relevant registration data
must be available to the server generating activation
codes, typically a server localized at a telephone
operator.

After successful registration, the user may then be
provided with a one time activation code which is generated in
the server. This code will be used to authenticate the user
towards the server after the registration and to initiate
the key generation process in the Smart Card. The one
time activation code will be provided to the user in a
sealed envelope that is sent by post, e.g. as a registered
letter to the home address of the user.

However, before the user may enter the activation code, a
"SIM PKI menu" must be enabled. Thus, the PKI server
transmits a code unique to the user's SIM card to the
user's phone to enable the "SIM PKI menu". This unique code
should not be confused with the actual activation code
described above. This "SIM PKI menu" has until now been
resting invisibly in the SIM card, not accessible to the
user. The Activation Module in the PKI server also
fetches some unique parameters from the Card Production
system; these are also stored in the particular SIM and are
used as the code for enabling the PKI menu in the SIM.
When the "SIM PKI menu" is enabled, the user enters the
activation code in his/her handset to enroll to the
service. The activation code is sent by SMS to the PKI
Server. The user has 3 attempts to enter this code
correctly.

The Activation Module verifies that the entered activation
code corresponds to the previously transmitted one. The
Activation Module then transmits a "Generate PKI keys
enabling command" back to the SIM, and the key generation
application in the SIM generates a key pair comprising a
private key and a verification public key.

The verification public key (VPuK) is transmitted by SMS to
the Activation Module, and the SMS is preferably encrypted
according to GSM 03.48 for protection of sensitive
information.

The user is then requested to choose a PIN_SIGNKEY, which 
is a personal self chosen signing key used for e.g. 
transaction signing, encryption and authentication. 

In the case of successful verification, the Activation 
Portal connects to the CA to issue a valid certificate with 
the public key associated with the user. This certificate 
is at the same time sent to a certification directory. 

A confirmation of successful certification is sent back to 
the user and the PKI menu will then be disabled in the SIM. 
The PKI functions in the SIM card are now enabled. 
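As an added illustration that is not part of the patent, the following Python sketch models the Activation Module's side of the flow described above: issuing the one-time activation code after registration, verifying the SMS entry with the three-attempt limit, returning the key-generation enabling command exactly once, and accepting the verification public key for certification. Class and method names are assumptions; unlike the description, which stores the mailed code itself, this version keeps only a salted hash of it, and the CA request is a constructed stand-in.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # the description gives the user three attempts at the code


class ActivationModule:
    """Activation Module of the operator's PKI server (hypothetical API), one record per subscriber."""

    def __init__(self):
        self._records = {}  # msisdn -> {salt, digest, attempts, state, vpuk}

    @staticmethod
    def _digest(salt, code):
        # Only a salted, stretched hash of the code is kept server-side; the plaintext goes in the letter.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def issue_activation_code(self, msisdn, length=12):
        """Generate the one-time code after RA registration; returned once, for the registered letter."""
        code = "".join(secrets.choice("0123456789") for _ in range(length))
        salt = secrets.token_bytes(16)
        self._records[msisdn] = {"salt": salt, "digest": self._digest(salt, code),
                                 "attempts": 0, "state": "issued", "vpuk": None}
        return code

    def verify_entry(self, msisdn, entry):
        """Handle the SMS carrying the user's entry: return the enabling command or None.
        The code is one-time: burnt on success, locked after MAX_ATTEMPTS failures."""
        rec = self._records.get(msisdn)
        if rec is None or rec["state"] != "issued":
            return None
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], self._digest(rec["salt"], entry)):
            rec["state"] = "enabled"
            return {"cmd": "GENERATE_PKI_KEYS", "msisdn": msisdn}
        if rec["attempts"] >= MAX_ATTEMPTS:
            rec["state"] = "locked"  # a fresh code must be issued; this one never works again
        return None

    def register_vpuk(self, msisdn, vpuk):
        """Accept the verification public key (VPuK) returned by the SIM and request the
        certificate; only one key is accepted, and only while an enabling command is outstanding."""
        rec = self._records.get(msisdn)
        if rec is None or rec["state"] != "enabled":
            return None
        rec["vpuk"], rec["state"] = vpuk, "certified"
        # Constructed stand-in for the CA request: a record binding subscriber and key.
        return {"subject": msisdn, "vpuk": vpuk.hex(), "issuer": "EXAMPLE-CA"}
```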

The present invention replaces the PUK code for the PKI
part (not to be confused with the one for the GSM part),
which is usually, for security reasons, stored in two
separate parts, with a one time activation code, thus
saving memory space and administration.
In addition, the present invention introduces a higher
degree of security, as no PUK is stored, neither
centrally at the operator, nor in the terminal or on a
piece of paper for the user to remember.

The present invention enables generating keys in connection 
with use of PKI, thus allowing the user to choose the 
signing PIN for authentication and transaction signing 
himself. 

A further advantage of the present invention is that SIM
cards may be reused for the user or for a new user at the
PKI certificate renewal date (within 2-3 years), since new
PKI data will be generated in the Smart Card for each new
activation code.

The above-described example of the present invention is for
illustrative purposes only. Other implementations and
variations may be utilized without departing from the scope of
the invention as defined in the following claims.
Patent claims

1. Method for enabling at least a part of a Smart Card,
said Smart Card associated to a terminal, said terminal
connected to a communication network to which a server also
is connected, said Smart Card accessible for a user of said
terminal,

characterized in the following steps:

- generating an activation code in said server

- sending said activation code to said user

- adapting said terminal to prompt said user for
his/her reading of said activation code

- on response to said user's entry of said reading of
said activation code into said terminal, transmitting
said entry to said server through said communication
network

- on response to receiving said entry, comparing said
entry with said activation code

- if said entry and said activation code are equal,
transmitting an enabling command to said terminal
through said communication network

- upon receiving said activation code, enabling said at
least a part of said Smart Card.

2. Method as defined in claim 1,

characterized in that said part of said
Smart Card is PKI functions and said server is a PKI
server.
3. Method as defined in claim 2,

characterized in that the step of enabling
further includes the following steps:

- generating a key pair including a private key and a
public key

- requesting said user to choose and enter a signing,
encryption and authentication PIN into said terminal

- transmitting said public key to said PKI server
through said communication network

- from said PKI server, requesting a certificate for
said user from a CA

4. Method as defined in claim 2 or 3,

characterized in that said PKI functions
are stored in said Smart Card, but hidden from the user until
enabling.

5. Method as defined in any of the preceding claims, 
characterized in that the step of adapting 
includes transmitting a menu enabling code to said terminal 
from said server providing said terminal with a menu for 
said prompting of said user for said reading of said 
activation code. 

6. Method as defined in any of the preceding claims, 
characterized in that said communication 
network is a GSM network, said terminal is a GSM mobile 
telephone, and said Smart Card is a SIM card. 

7. Method as defined in claim 6,

characterized in that said transmitting of
said reading from said terminal to said server is carried
through via an SMS.
8. Method as defined in claim 6 or 7,

characterized in that said activation code
completely replaces the PUK code used for PKI.

9. Method as defined in any of the preceding claims, 
characterized in that said activation code 
is sent to the user via registered mail. 